Over 20 Million Russian Tax Records Exposed in Privacy Snafu

Over 20 million Russian tax records were found publicly exposed in a misconfigured Elasticsearch database last month, in yet another privacy snafu.

Security researcher Bob Diachenko teamed up again with Comparitech to discover the unsecured server, which contained personally identifiable information (PII) on Russian citizens dating from 2009-2016.

Lacking password protection or any other authentication mechanism, the Amazon Web Services Elasticsearch cluster was first indexed by search engines in May 2018. Diachenko discovered it on September 17 and notified the Ukraine-based owner.

Although the researchers are still unclear what entity managed the database, it was made inaccessible three days after Diachenko raised the red flag.

The unencrypted PII included names, addresses, residency status, passport and phone numbers, tax ID numbers, and employer names and phone numbers. It sat exposed for over a year.

“The cluster contained multiple databases. Some seemed to contain mostly random and publicly sourced data. Two databases, however, included tax and personally identifiable information about Russian citizens. Most of those citizens appear to be from Moscow and the surrounding area,” explained Comparitech’s Paul Bischoff.

“The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over six million from 2009 to 2015.”

The data is highly sensitive and could be used to craft convincing follow-on phishing and identity fraud schemes.

Organizations across the globe are failing to protect their Elasticsearch databases. This year alone, researchers have used simple online search tools to find: 8TB of email metadata belonging to a leading Chinese university, 24 million financial records from multiple banks, a copy of the Dow Jones Watchlist containing 2.4 million records and PII on 82 million Americans exposed by a mystery company.

AWS S3 buckets and MongoDB instances are also commonly misconfigured, exposing countless organizations and their customers to the threat of data theft.